Special Category Data

As a church, a lot of the data you hold and process will be related to religion and faith. This is one of a number of things which is afforded extra protection under existing data protection legislation, and that will continue under GDPR. This type of data could create more significant risks to a person’s fundamental rights and freedoms.

Special category data includes things like race, trade union membership, or political affiliation, as well as religious belief. The difference between this and regular data is that in order to process special category data, you will need to satisfy both Section Six and Section Nine of GDPR.

Section Six is where you can demonstrate your lawful basis for processing data, whether that be consent, contract, or legitimate interest. Section Nine is slightly different. This section prohibits the processing of special category data unless you can demonstrate a further basis for processing.

It is true that you can use ‘legitimate interest’ for both of these sections. However, Section Nine specifies that legitimate interest only applies if you can show that you have put the appropriate safeguards in place and that the data is not being shared outside of the church.

While services such as Google Drive and Dropbox will count as a Data Processor for you (the Data Controller) you will need to list all Data Processors you use in order to show that you have fully informed Data Subjects. This is difficult and time-consuming and could easily lead to misinformation.

The ICO have advised us that best practice is to gain explicit consent if you are using any of these services to store or process special category data. Having explicit consent as well as a legitimate interest in processing data will protect your church as well as your members and visitors. You can read more about the ICO’s advice on special category data on their website.

Criminal conviction data should be approached in a similar way. You will need to satisfy Section Six as well as Section Ten, which severely restricts the processing of data relating to criminal offences and convictions. The Data Protection Bill (2017) which is currently going through Parliament will make provision for organisations such as churches to process this data where they have explicit consent, or they are doing so in order to provide relevant services, or ensure safeguarding.